FreeScout Cross-Site Scripting Vulnerability Leading to Cross-Site Request Forgery

A stored cross-site scripting vulnerability has been identified in FreeScout versions prior to 1.8.180. This issue arises from improper input validation and sanitization of user data in mail signatures, allowing attackers to inject arbitrary HTML, including JavaScript. Such injections could be exploited to steal sensitive information, hijack user sessions, or perform other malicious actions. Furthermore, if an administrator interacts with an email containing a compromised signature, it could trigger a cross-site request forgery vulnerability.

Impact

Exploitation of this vulnerability allows for cross-site scripting, which could be used to execute malicious scripts in the context of the user's browser. If an administrator is exposed to the injected script, it could lead to cross-site request forgery, potentially allowing an attacker to escalate privileges.

Reproduction

To reproduce this vulnerability, first, inject a script into the signature field via the mailbox settings. This can be done by sending a POST request to the '/mailbox/settings/1' endpoint with a signature that includes a script tag or other dangerous HTML. Once the signature is saved, an administrator must access an email in the mailbox where the signature was modified. This interaction will trigger the injected script, demonstrating the cross-site scripting vulnerability.

Remediation

Users can update to FreeScout version 1.8.180 or later, where this vulnerability has been patched.